Threat Response - Microsoft Exchange Server Elevation of Privilege Vulnerability
Date: 15-2-2024
On 13 February 2024, Microsoft warned about a critical security flaw in Exchange Server 2019 and 2016. This vulnerability, tracked as CVE-2024-21410, allows an attacker to relay captured NTLM hashes against an Exchange Server and perform actions as the compromised user. The vulnerability received a CVSS score of 9.8 out of 10.
Description
CVE-2024-21410 is a severe privilege escalation flaw in Microsoft Exchange Server (CVSS score: 9.8). An attacker could first target an NTLM client such as Outlook with a vulnerability that leaks NTLM credentials. The attacker could then relay the user's leaked Net-NTLMv2 hash against the Exchange server to gain the privileges of the victim client and perform operations on the Exchange server on the victim's behalf.
Impact
We estimate the impact of this vulnerability as HIGH since successful exploitation enables the attacker to acquire the same privileges as the victim client and conduct operations on the Exchange server, acting on behalf of the victim.
Risk
We estimate the risk of this vulnerability as HIGH since the NTLM credentials can be obtained easily by exploiting other products such as Microsoft Outlook and then relayed to the vulnerable Exchange Server. Furthermore, Microsoft reports active exploitation of this vulnerability.
Mitigation
To mitigate this vulnerability, we urge readers to apply the patches released by Microsoft as part of the "Patch Tuesday" cycle.
- Exchange Server 2019: Prior to the Exchange Server 2019 Cumulative Update 14 (CU14) update, Exchange Server did not enable NTLM credentials Relay Protections (called Extended Protection for Authentication or EPA) by default. Without the protection enabled, an attacker can target Exchange Server to relay leaked NTLM credentials from other targets (for example Outlook). Exchange Server 2019 CU14 enables EPA by default on Exchange servers.
- Exchange Server 2016: Microsoft introduced Extended Protection support as an optional feature for Exchange Server 2016 CU23 with the August 2022 security update (build 15.01.2507.012). We strongly recommend downloading the latest security update for Exchange Server 2016 CU23 before turning on Extended Protection with the help of the ExchangeExtendedProtectionManagement.ps1 script.
Please note that if you have already run the script on Exchange Server 2019 CU13 or earlier, you are already protected from this vulnerability. However, we strongly recommend installing the latest cumulative update. You can determine that Extended Protection is configured as expected by running the latest version of the Exchange Server Health Checker script. The script will provide you with an overview of the Extended Protection status of your server.
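As an added illustration (not part of this advisory and not Microsoft's Health Checker or ExchangeExtendedProtectionManagement.ps1 scripts), the following PowerShell reads the Extended Protection setting of the Exchange front-end virtual directories straight from the IIS configuration, which is the setting those scripts enable and report on. It assumes a default installation where the front end is the "Default Web Site" and uses the listed virtual directory names; adjust both if your deployment differs.

```powershell
# Added example: report the IIS Extended Protection (EPA) token checking mode
# for the Exchange front-end virtual directories. Run in an elevated
# PowerShell on the Exchange server; needs the WebAdministration module
# that ships with IIS.
Import-Module WebAdministration

# Assumption: default site name and the usual front-end virtual directories.
$Site  = 'Default Web Site'
$Vdirs = 'API', 'Autodiscover', 'ECP', 'EWS', 'mapi',
         'Microsoft-Server-ActiveSync', 'OAB', 'OWA', 'PowerShell', 'RPC'
$Filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-ExchangeEpaStatus {
    param([string]$SiteName, [string[]]$VirtualDirectories)
    foreach ($vdir in $VirtualDirectories) {
        $location = "$SiteName/$vdir"
        try {
            $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                -Location $location -Filter $Filter -Name 'tokenChecking'
            # The cmdlet may return a plain string or a ConfigurationAttribute
            # object with a .Value member; normalise both to a string.
            $value = if ($null -eq $raw) { 'None' }
                     elseif ($raw.PSObject.Properties['Value']) { [string]$raw.Value }
                     else { [string]$raw }
        } catch {
            $value = 'NotFound'
        }
        # 'Require' enforces channel binding (EPA on); 'Allow' only checks a
        # binding when the client sends one; 'None' means relayed NTLM
        # authentication is still accepted on this virtual directory.
        $status = switch ($value) {
            'Require' { 'Enforced' }
            'Allow'   { 'Partial' }
            default   { 'NOT PROTECTED' }
        }
        [pscustomobject]@{
            VirtualDirectory = $location
            TokenChecking    = $value
            Status           = $status
        }
    }
}

Get-ExchangeEpaStatus -SiteName $Site -VirtualDirectories $Vdirs | Format-Table -AutoSize
```

Any directory reported as NOT PROTECTED should be compared against the output of the Exchange Server Health Checker script before and after applying the update or running ExchangeExtendedProtectionManagement.ps1.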
What should you do?
Follow the mitigation steps listed above to mitigate the vulnerability.
What will Northwave do?
Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure.
We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
E-mail: soc@northwave.nl
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
Sources
[1]: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21410
[2]: https://advisories.ncsc.nl/advisory?id=NCSC-2024-0062
Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.